Thirdweb, a web3 development platform, disclosed a concerning vulnerability in its open-source library that affects multiple collections of non-fungible tokens (NFTs). The company identified the vulnerability on November 20. It affects pre-built smart contracts provided by Thirdweb, although the company did not specify which collections might be affected.
The situation is more serious because NFT collections are a crucial part of the digital assets market, and any vulnerability in these smart contracts could have significant consequences for users and owners.
IMPORTANT
On November 20th, 2023 6pm PST, we became aware of a security vulnerability in a commonly used open-source library in the web3 industry.
This impacts a variety of smart contracts across the web3 ecosystem, including some of thirdweb’s pre-built smart contracts.…
— thirdweb (@thirdweb) December 5, 2023
OpenSea, one of the leading NFT exchange platforms, was quick to respond and confirmed that some collections on its platform were affected by this vulnerability. The platform is collaborating with Thirdweb and the owners of the impacted collections to address and mitigate security issues. OpenSea urged users to stay informed about how the platform can assist affected owners during the contract migration process.
We are in touch with @thirdweb about the security vulnerability impacting some NFT collections. Stay tuned for more info on how we can assist affected collection owners with any changes on OpenSea tied to contract migration. Please read @thirdweb’s post below for more detail. https://t.co/HU6bmXWU7U
— OpenSea (@opensea) December 5, 2023
NFT Platforms Alert Their Users
Coinbase NFT also commented on the situation, stating that it was notified of the vulnerability on December 1 and that it affects “some collections on Coinbase created with Thirdweb.” Like OpenSea, Coinbase is actively working to address security concerns and collaborate with the owners of impacted collections to take necessary actions.
1/ The Coinbase team was informed at 9p PT on Fri 12/1 by @thirdweb of a security vulnerability in a common open-source library, impacting some NFT collections on Coinbase NFT created with thirdweb.
There has been no breach of the Coinbase platform. Customer funds remain secure. https://t.co/elRGxjysif
— Coinbase NFT 🛡️📞 (@Coinbase_NFT) December 5, 2023
Coinbase’s Layer 2 network, Base, also reported that the vulnerability affects some of the NFT contracts deployed on its network. Vulnerabilities of this kind highlight the interconnectedness of ecosystems in the blockchain space, where issues on one platform can have ramifications on others.
Thirdweb reported that, to its knowledge, the vulnerability has not been exploited in any of the projects using its smart contracts. However, the company emphasized that owners of affected contracts should take mitigation measures. These include locking the contract, taking snapshots, and migrating to new contracts without known vulnerabilities.
Security and prompt response are crucial to maintaining trust in the growing ecosystem of non-fungible tokens and smart contracts. Users and NFT owners should stay informed about updates from platforms and take necessary precautions to safeguard themselves against cyber threats.